Cyber espionage

TORONTO — Turning the tables on a China-based
computer espionage gang, Canadian and United States computer security
researchers have monitored a spying operation for the past eight months,
observing while the intruders pilfered classified and restricted documents from
the highest levels of the Indian Defense Ministry.

In a report issued Monday night, the researchers, based at the Munk School of
Global Affairs at the University of Toronto, provide a detailed account of how
a spy operation they called the Shadow Network systematically hacked into
personal computers in government offices on several continents.

The Toronto spy hunters not only learned what kinds of
material had been stolen, but were able to see some of the documents, including
classified assessments about security in several Indian states, and
confidential embassy documents about India’s
relationships in West Africa, Russia and the Middle East. The intruders breached
the systems of independent analysts, taking reports on several Indian missile
systems. They also obtained a year’s worth of the Dalai Lama’s
personal e-mail messages.

The intruders even stole documents related to the travel
of NATO forces in Afghanistan, illustrating
that even though the Indian government was the primary target of the attacks,
one chink in computer security can leave many nations exposed.

“It’s not only that you’re only as secure as the weakest
link in your network,” said Rafal Rohozinski, a member of the Toronto team.
“But in an interconnected world, you’re only as secure as the weakest link in
the global chain of information.”

As recently as early March, the Indian communications
minister, Sachin Pilot, told reporters that government networks had been
attacked by China, but that “not one attempt has been successful.” But on March
24, the Toronto researchers said, they contacted intelligence officials in
India and told them of the spy ring they had been tracking. They requested and
were given instructions on how to dispose of the classified and restricted
documents.

On Monday, Sitanshu Kar, a spokesman for the Indian
Defense Ministry, said officials were “looking into” the report, but had no
official statement.

The attacks look like the work of a criminal gang based
in Sichuan Province, but as with all cyberattacks, it is easy to mask the true
origin, the researchers said. Given the sophistication of the intruders and the
targets of the operation, the researchers said, it is possible that the Chinese
government approved of the spying.

When asked about the new report on Monday, a propaganda
official in Sichuan’s capital, Chengdu, said “it’s ridiculous” to suggest that
the Chinese government might have played a role. “The Chinese government
considers hacking a cancer to the whole society,” said the official, Ye Lao.
Tensions have risen between China and the United States this year after a statement
by Google in
January that it and dozens of other companies had been the victims of computer
intrusions coming from China.

The spy operation appears to be different from the
Internet intruders identified by Google and from a surveillance ring known as
Ghostnet, also believed to be operating from China, which the Canadian
researchers identified in March of last year. Ghostnet used computer servers
based largely on the island of Hainan to steal documents from the Dalai Lama,
the exiled Tibetan spiritual leader, and governments and corporations in more
than 103 countries.

The Ghostnet investigation led the researchers to this second Internet spy
operation, which is the subject of their new report, titled “Shadows in the
Cloud: An Investigation Into Cyberespionage 2.0.” The new report shows that the
India-focused spy ring made extensive use of Internet services like Twitter,
Google Groups, Blogspot, blog.com, Baidu Blogs and Yahoo! Mail
to automate the control of computers once they had been infected.

The Canadian researchers cooperated in their
investigation with a volunteer group of security experts in the United States
at the Shadowserver Foundation, which focuses on
Internet criminal activity.

“This would definitely rank in the sophisticated range,”
said Steven Adair, a security researcher with the group. “While we don’t know
exactly who’s behind it, we know they selected their targets with great care.”

By gaining access to the control servers used by the
second cyber gang, the researchers observed the theft of a wide range of
material, including classified documents from the Indian government and reports
taken from Indian military analysts and corporations, as well as documents from
agencies of the United
Nations and other governments.

“We snuck around behind the backs of the attackers and
picked their pockets,” said Ronald J. Deibert, a political scientist who is
director of the Citizen Lab, a cybersecurity research group at the Munk School.
“I’ve not seen anything remotely close to the depth and the sensitivity of the
documents that we’ve recovered.”

The researchers said the second spy ring was more
sophisticated and difficult to detect than the Ghostnet operation.

By examining a series of e-mail addresses, the
investigators traced the attacks to hackers who appeared to be based in
Chengdu, which is home to a large population from neighboring Tibet.
Researchers believe that one hacker used the code name “lost33” and that he may
have been affiliated with the city’s prestigious University of Electronic
Science and Technology. The university publishes books on computer hacking and
offers courses in “network attack and defense technology” and “information
conflict technology,” according to its Web site.

The People’s Liberation Army also operates a technical
reconnaissance bureau in the city, and helps finance the university’s research
on computer network defense. A university spokesman could not be reached Monday
because of a national holiday.

The investigators linked the account of another hacker to
a Chengdu resident whose name appeared to be Mr. Li. Reached by telephone on
Monday, Mr. Li denied taking part in computer hacking. Mr. Li, who declined to
give his full name, said he must have been confused with someone else. He said
he knew little about hacking. “That is not me,” he said. “I’m a wine seller.”

The Canadian researchers stressed that while the new spy
ring focused primarily on India, there were clear international ramifications.
Mr. Rohozinski noted that civilians working for NATO and the reconstruction
mission in Afghanistan usually traveled through India and that Indian
government computers that issued visas had been compromised in both Kandahar
and Kabul in Afghanistan.

“That is an operations security issue for both NATO and
the International Security Assistance Force,” said Mr. Rohozinski, who is also
chief executive of the SecDev Group, a Canadian computer security consulting
and research firm.

The report notes that documents the researchers recovered
were found with “Secret,” “Restricted” and “Confidential” notices. “These
documents,” the report says, “contain sensitive information taken from a member
of the National Security Council Secretariat
concerning secret assessments of India’s security situation in the states of Assam,
Manipur, Nagaland and Tripura, as well as concerning the Naxalites and
Maoists,” two opposition groups.

Other documents included personal information about a
member of the Indian Directorate General of Military Intelligence.

The researchers also found evidence that Indian Embassy
computers in Kabul, Moscow and Dubai, United Arab Emirates, and at the High
Commission of India in Abuja, Nigeria had been compromised.

Also compromised were computers used by the Indian
Military Engineer Services in Bengdubi, Calcutta, Bangalore and Jalandhar; the
21 Mountain Artillery Brigade in Assam and three air force bases. Computers at
two Indian military colleges were also taken over by the spy ring.

Even after eight months of watching the spy ring, the
Toronto researchers said they could not determine exactly who was using the
Chengdu computers to infiltrate the Indian government.

“But an important question to be entertained is whether
the P.R.C. will take action to shut the Shadow Network down,” the report says,
referring to the People’s Republic of China. “Doing so will help to address
longstanding concerns that malware ecosystems are actively cultivated, or at
the very least tolerated, by governments like the P.R.C. who stand to benefit
from their exploits through the black and gray markets for information and
data.”

John
Markoff reported from Toronto, and David Barboza from Shanghai. Vikas Bajaj
contributed reporting from Mumbai, India.

The report, 'Shadows in the Cloud', said the
intruders breached the systems of independent analysts, taking reports on
several Indian missile systems. They also obtained a year’s worth of the Dalai
Lama’s personal e-mail messages.

CMN Correspondent

Tuesday, April 06, 2010

TORONTO, CANADA: In an apparent threat to the Indian defence system, Chinese
hackers have reportedly broken into top secret files of the Indian Defence
Ministry and embassies around the world.

Citing a report, 'Shadows in the Cloud', The New York Times said that
Canadian and American computer security researchers had monitored a Chinese
spying operation for the past eight months, observing while the intruders
pilfered classified and restricted documents from the highest levels of the
Indian Defense Ministry.

In a report issued Monday night, the
researchers, based at the Munk School of Global Affairs at the University of
Toronto, provide a detailed account of how a spy operation they called the
'Shadow Network' systematically hacked into personal computers in government
offices on several continents.

According to it, the “Toronto spy hunters not
only learned what kinds of material had been stolen, but were able to see some
of the documents, including classified assessments about security in several
Indian states, and confidential embassy documents about India’s relationships
in West Africa, Russia and the Middle East.”

The report said the intruders breached the
systems of independent analysts, taking reports on several Indian missile
systems. They also obtained a year’s worth of the Dalai Lama’s personal e-mail
messages.

Recently, Minister of State for IT and
Communications, Sachin Pilot had told reporters that government networks had
been attacked by China, but that “not one attempt has been successful”.

But the latest report has apparently made the
government press the panic button.

“On March 24, the Toronto researchers said,
they contacted intelligence officials in India and told them of the spy ring
they had been tracking. They requested and were given instructions on how to
dispose of the classified and restricted documents,” the report added.

Though the attacks look like the work of a
criminal gang based in Sichuan Province, as with all cyber attacks, it is easy
to mask the true origin, the researchers said. Given the sophistication of the
intruders and the targets of the operation, the researchers said, it is
possible that the Chinese government approved of the spying.

The documents stolen by the intruders contain
sensitive information taken from a member of the National Security Council
Secretariat concerning secret assessments of India’s security situation in the
states of Assam, Manipur, Nagaland and Tripura, as well as concerning the
Naxalites and Maoists, according to the NYT.

There was evidence that Indian Embassy
computers in Kabul, Moscow and Dubai, United Arab Emirates, and at the High
Commission of India in Abuja, Nigeria had been compromised, it added.

Computers used by the Indian Military
Engineer Services in Bengdubi, Calcutta, Bangalore and Jalandhar; the 21
Mountain Artillery Brigade in Assam and three air force bases were compromised,
and computers at two Indian military colleges were also taken over by the spy
ring, the NYT quoted the report as saying.

NEW YORK: Major Indian missile and armament
systems may have been compromised, as Chinese hackers have reportedly broken
into top secret files of the Indian Defence Ministry and embassies around the
world.

Among the material that may have leaked are presentations on Shakti, the newly
introduced artillery combat command and control system of the Indian Army, and
on the Iron Dome mobile missile defence system.

A new report called 'Shadows in the Cloud' by Canadian and American researchers
based at the University of Toronto has said that a spy operation called 'Shadow
Network', based out of China, has tapped into top secret files of the Indian
government.

Based on an investigation conducted over eight months, the report found that
systematic cyber espionage had been carried out from servers located in China,
compromising government, business, academic and other computer network systems
in India.

The report finds that Indian government related entities, both in India and
throughout the world, had been thoroughly compromised.

These included computers at Indian embassies in Belgium, Serbia, Germany,
Italy, Kuwait, the United States, Zimbabwe, and the High Commissions of India in
Cyprus and the United Kingdom.

"These include documents from the Offices of the Dalai Lama and agencies
of the Indian national security establishment," the report said.

"Data containing sensitive information on citizens of numerous third-party
countries, as well as personal, financial, and business information, were also
exfiltrated and recovered during the course of the investigation," it
said.

"Recovery and analysis of exfiltrated data, including one document that
appears to be encrypted diplomatic correspondence, two documents marked
'SECRET', six as 'RESTRICTED', and five as 'CONFIDENTIAL'. These documents are
identified as belonging to the Indian government," it added.

These documents contain sensitive information taken from a member of the National
Security Council Secretariat concerning secret assessments of India's security
situation in the states of Assam, Manipur, Nagaland and Tripura, as well as
concerning the Naxalites and Maoists.

In addition, they contain confidential information taken from Indian embassies
regarding India's international relations with and assessments of activities in
West Africa, Russia/Commonwealth of Independent States and the Middle East, as
well as visa applications, passport office circulars and diplomatic correspondence.

However, the researchers note that there is no direct evidence that these were
stolen from Indian government computers and they may have been compromised as a
result of being copied onto personal computers.

Recovered documents also included presentations relating to the following
projects: Pechora Missile System - an anti-aircraft surface-to-air missile
system; Iron Dome Missile System - a mobile missile defence system
(Ratzlav-Katz 2010); and Project Shakti - an artillery combat command and
control system (Frontier India 2009).

The report also finds that the spies obtained information on visa
applications submitted to Indian diplomatic missions in Afghanistan.

This data was voluntarily provided to the Indian missions by nationals of 13
countries as part of the regular visa application process.

"In a context like Afghanistan, this finding points to the complex nature
of the information security challenge where risks to individuals (or
operational security) can occur as a result of a data compromise on secure
systems operated by trusted partners," the report said.

The investigation also said that 1,500 letters sent from the Dalai Lama's
office between January and November 2009, were also leaked out.

The researchers noted that while there was no clear insight into the motives of
the spies, "the theme appears to involve topics that would likely be of
interest to the Indian and Tibetan communities".

TORONTO, April 5 /CNW/ - The Information Warfare Monitor (Citizen Lab, Munk
School of Global Affairs, University of Toronto and the SecDev Group, Ottawa)
and the Shadowserver Foundation announce the release of Shadows in the Cloud:
An investigation into cyber espionage 2.0.

The report documents a complex ecosystem of
cyber espionage that systematically targeted and compromised computer systems
in India, the Offices of the Dalai Lama, the United Nations, and
several other countries.

Members of the research team are holding a news conference at 11 a.m. on
Tuesday, April 6, to discuss their latest findings and to answer questions from
the media. The news conference will also be webcast live at:

The news conference will be held at the Campbell Conference Facility, Munk
Centre for International Studies, 1 Devonshire Place, Toronto (416-946-8900).

NOTE: Reporters unable to attend the news conference may e-mail questions
during the event to media.relations@utoronto.ca. The questions will be relayed
to the panel for response.

The
investigation recovered a large quantity of stolen documents - including
sensitive and classified materials - belonging to government, business,
academic, and other computer network systems and other politically sensitive
targets. These include documents from agencies of the Indian national security
establishment, and the Offices of the Dalai Lama. The stolen data included information
voluntarily provided to Indian embassies and consulates by third-party
nationals, including Canadian visa applications, as well as those belonging to
citizens of other countries. Additionally, sensitive personal, financial, and
business information belonging to Indian officials was systematically harvested
and exfiltrated by the attackers.

The report analyzes the malware ecosystem
employed by the Shadows' attackers. The system leveraged multiple redundant
cloud computing systems, social networking platforms, and free web hosting
services in order to maintain persistent control while operating core servers
located in the People's Republic of China (PRC).
Although the identity and motivation of the attackers remain unknown, the
report provides evidence that the attackers operated or staged their operations
from Chengdu, PRC.

Summary of main findings:

- Complex cyber espionage network - Documented evidence of a cyber espionage
network that compromised government, business, and academic computer systems
in India, the Office of the Dalai Lama, and the United Nations. Numerous other
institutions, including the Embassy of Pakistan in the United States, were also
compromised. Some of these institutions can be positively identified, while
others cannot.

- Theft of classified and sensitive documents - Recovery and analysis of
exfiltrated data, including one document that appears to be encrypted
diplomatic correspondence, two documents marked "SECRET", six as "RESTRICTED",
and five as "CONFIDENTIAL". These documents are identified as belonging to the
Indian government. However, we do not have direct evidence that they were
stolen from Indian government computers and they may have been compromised as
a result of being copied by Indian officials onto personal computers. The
recovered documents also include 1,500 letters sent from the Dalai Lama's
office between January and November 2009. The profile of documents recovered
suggests that the attackers targeted specific systems and profiles of users.

- Evidence of collateral compromise - A portion of the recovered data included
visa applications submitted to Indian diplomatic missions in Afghanistan. This
data was voluntarily provided to the Indian missions by nationals of 13
countries as part of the regular visa application process. In a context like
Afghanistan, this finding points to the complex nature of the information
security challenge where risks to individuals (or operational security) can
occur as a result of a data compromise on secure systems operated by trusted
partners.

- Command-and-control infrastructure that leverages cloud-based social media
services - Documentation of a complex and tiered command and control
infrastructure, designed to maintain persistence. The infrastructure made use
of freely available social media systems that include Twitter, Google Groups,
Blogspot, Baidu Blogs, blog.com and Yahoo! Mail. This top layer directed
compromised computers to accounts on free web hosting services, and as the
free hosting servers were disabled, to a stable core of command and control
servers located in the PRC.

- Links to Chinese hacking community - Evidence of links between the Shadow
network and two individuals living in Chengdu, PRC to the underground hacking
community in the PRC.
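The tiered command-and-control design described above (and in the NYT account earlier on this page) leaves a recognisable footprint in an organisation's own web proxy logs: an infected host polls the same public blog post, group page or feed at a machine-like cadence, and a poll is followed within seconds by a first contact to the free-hosting account it was pointed at. The following is an added example written for this page, not code from the Shadows in the Cloud report or from the Information Warfare Monitor; it runs two heuristics of the editor's own devising over constructed log lines. The log format, the client addresses, the `shadowops.blogspot.com` URL, the `freehost.example` hosting domain and the exact hostnames used for Baidu Blogs and Yahoo! Mail are all assumptions made for the example.

```python
"""Added example: spotting social-media-fronted, tiered C2 in web proxy logs.

Two heuristics over constructed log lines (not data from the report):
  1. A host fetching the same public web page (blog post, feed, group page)
     at a near-constant cadence, which is what a dead-drop poll looks like.
  2. That poll being followed, within seconds, by the client's first-ever
     contact with a free web-hosting host, the next hop the report describes.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Public services the report names as the top command tier.  The hostnames
# chosen for Baidu Blogs and Yahoo! Mail are assumptions for this example.
SOCIAL_TIER = {"twitter.com", "groups.google.com", "blogspot.com",
               "blog.com", "hi.baidu.com", "mail.yahoo.com"}
# Hypothetical free web-hosting domains standing in for the middle tier.
FREE_HOSTING = {"freehost.example", "webhost.example"}

# Constructed proxy log, "timestamp client method url" (hypothetical format).
# 10.0.0.7 polls one blog post roughly every 600 s, then hits a free host;
# 10.0.0.8 visits Twitter at irregular, human-looking intervals.
SAMPLE_LOG = """\
2010-03-01T09:00:00 10.0.0.7 GET http://shadowops.blogspot.com/2010/03/update.html
2010-03-01T09:01:00 10.0.0.8 GET http://twitter.com/somefeed
2010-03-01T09:03:30 10.0.0.8 GET http://twitter.com/somefeed
2010-03-01T09:10:03 10.0.0.7 GET http://shadowops.blogspot.com/2010/03/update.html
2010-03-01T09:19:58 10.0.0.7 GET http://shadowops.blogspot.com/2010/03/update.html
2010-03-01T09:30:01 10.0.0.7 GET http://shadowops.blogspot.com/2010/03/update.html
2010-03-01T09:40:00 10.0.0.7 GET http://shadowops.blogspot.com/2010/03/update.html
2010-03-01T09:40:12 10.0.0.7 GET http://cmd.freehost.example/x/upd.txt
2010-03-01T09:45:10 10.0.0.8 GET http://twitter.com/somefeed
2010-03-01T09:50:00 10.0.0.8 GET http://www.example.org/
2010-03-01T10:20:00 10.0.0.8 GET http://twitter.com/somefeed
"""


def parse_line(line):
    """Return (timestamp, client, host, url) for one log line."""
    ts, client, _method, url = line.split()
    host = url.split("/")[2]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, host, url


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def in_domains(host, domains):
    """True if host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_beacons(records, min_hits=4, max_cv=0.15):
    """Flag (client, url) pairs on social-tier hosts fetched at a steady cadence.

    Cadence is judged by the coefficient of variation of the gaps between
    requests: a polling loop with small jitter scores near 0, a person
    browsing scores far higher.
    """
    by_pair = defaultdict(list)
    for ts, client, host, url in records:
        if in_domains(host, SOCIAL_TIER):
            by_pair[(client, url)].append(ts)
    hits = []
    for (client, url), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append({"client": client, "url": url,
                         "period_s": round(avg), "cv": round(cv, 3)})
    return hits


def find_tier_handoffs(records, window_s=60):
    """Flag a social-tier fetch followed within window_s by the same client's
    first contact with a free-hosting host: the top layer handing off."""
    ordered = sorted(records)
    first_contact = {}
    for ts, client, host, _url in ordered:
        if in_domains(host, FREE_HOSTING):
            first_contact.setdefault((client, host), ts)
    hits = []
    for ts, client, host, url in ordered:
        if not in_domains(host, SOCIAL_TIER):
            continue
        for (c, h), t0 in first_contact.items():
            delay = (t0 - ts).total_seconds()
            if c == client and 0 < delay <= window_s:
                hits.append({"client": client, "via": url,
                             "next_hop": h, "delay_s": int(delay)})
    return hits


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for b in find_beacons(RECORDS):
        print("beacon ", b)
    for h in find_tier_handoffs(RECORDS):
        print("handoff", h)
```

On the constructed log the first heuristic flags only 10.0.0.7 (period about 600 s, near-zero jitter) and not the irregular Twitter visits from 10.0.0.8; the second ties that host's last blog poll to its contact with the hosting domain 12 s later. In practice the thresholds need tuning against a site's own baseline, since legitimate feed readers also poll on a timer; the hand-off correlation is the stronger of the two signals because a browsing user rarely follows a blog page with a first-ever visit to a throwaway hosting account.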

About
the Researcher Collaboration:

This investigation is a result of a
collaboration between the Information Warfare Monitor and the Shadowserver
Foundation. The Information Warfare Monitor (infowar-monitor.net) is a joint
activity of the Citizen Lab, Munk School of Global Affairs, University of
Toronto, and the SecDev Group, an operational consultancy based in Ottawa
specialising in evidence-based research in countries and regions under threat
of insecurity and violence.

The
Shadowserver Foundation (shadowserver.org) was established in 2004 and is
comprised of volunteer security professionals that investigate and monitor
malware, botnets, and malicious attacks. Both the Information Warfare Monitor
and the Shadowserver Foundation aim to inform the field of cyber security
through accurate, evidence-based assessments and investigations.

Principal
Investigators' Bio and Comments:

Steven Adair is a
security researcher with the Shadowserver Foundation. He frequently analyzes
malware, tracks botnets, and deals with cyber attacks of all kinds with a
special emphasis on those linked to cyber espionage. "This report is a
fascinating look at the activities of individuals involved in cyber espionage.
It is unfortunately just a small piece of a very big pie. This is a problem
that goes well beyond those detailed in this report and affects organizations
and missions of all sizes all over the globe."

Ron Deibert is
Director of the Citizen Lab at the Munk School of Global Affairs, University of Toronto. He
is a co-founder and principal investigator of the OpenNet Initiative and
Information Warfare Monitor. He is Vice President, Policy and Outreach, Psiphon
Inc., and a principal with the SecDev Group. "It is often said that dark
clouds have silver linings. What the Shadow report shows is that the social
media clouds of cyberspace we rely upon today have a dark, hidden core. There
is a vast, subterranean ecosystem to cyberspace within which criminal and
espionage networks thrive. The Shadow network we uncovered was able to reach
into the upper echelon of the Indian national security establishment, as well
as many other institutions, and extract sensitive information from unwitting
victims. Networks such as these thrive because of a vacuum at the global level.
Governments are engaged in a competitive arms race in cyberspace, which
prevents cooperation on global cyber security. For its part, the Canadian
government has neither a domestic cyber security strategy nor a foreign policy
for cyberspace. The Shadow report should offer a wakeup call that rectifies
this situation, or we may find that we are the next victim of the Shadows and
GhostNets of cyberspace."

Rafal Rohozinski is CEO of the SecDev Group
and Psiphon Inc. He is a co-founder and principal investigator of the OpenNet
Initiative and Information Warfare Monitor, and a senior research advisor at
the Citizen Lab, Munk School of Global Affairs, University of Toronto.
"Cyber espionage has gone industrial. We are witnessing cloud-based
techniques and tradecraft from cybercrime being repurposed to target government
systems and computers belonging to officials entrusted with state or commercial
secrets. Whether the attackers are working for state agencies, or freelancing
and selling stolen data or tradecraft on the global gray market - this report is
a clear wake-up call that the threat of advanced persistent threats is very
real and requires measured international action. First and foremost, we need an
agreement on the norms that should govern cyberspace similar to the treaties we
presently have for outer space, the sea or other domains where we have
international agreements. We must take care to preserve the openness of the global
commons without precipitating an overreaction that could diminish or even roll
back the very real gains in knowledge, empowerment, and democratization that
cyberspace has catalyzed over the last 20 years. We must balance the need to
create policies and practices appropriate to information security in a global
networked age, while preventing unnecessary overreaction to what we fear as the
dark side of the net."

Nart Villeneuve is the Chief Security Officer
at the SecDev Group, Director of Operations of Psiphon Inc. and a senior SecDev
research fellow at the Citizen Lab at the Munk School of Global Affairs,
University of Toronto where he focuses on electronic surveillance, targeted
malware and politically motivated digital attacks. "There is no direct evidence
linking these attacks to the Chinese government. We look forward to working
with China CERT to shut down this malware network."

Greg Walton conducted
and coordinated the primary field-based research for the Shadow investigation
in His Holiness The Dalai Lama's Office and the Tibetan Government-in-Exile in
Dharamsala, India. Greg is a SecDev Group associate and editor of the
Information Warfare Monitor website. He is the SecDev Fellow at the Citizen Lab
at the Munk School of Global Affairs, University of Toronto.